Congress Looks into Resiliency of the Power Grid; Top 30 Exploited Vulnerabilities Need to be Patched; NSA Publishes Wireless Device Security Info

Most of the cybersecurity related issues are nothing new here – the new focus is really on supply chain security. The telling quote: “Large power transformers are only manufactured abroad…” and can take up to a year to be procured and delivered. The pandemic pointed out in a big way that while “just in time inventory” approaches reduce cost/increase profit, natural or political disruptions to transportation and delivery can lead to severe and prolonged outages. Mandatory backup capacity or increased availability of domestic sources raises costs but also raises resiliency and availability.

John Pescatore

Looking beyond the security of the components that operate the grid, leverage new collaboration opportunities to collaborate with CISA and peers to facilitate not only getting help when there is a problem, but also how to best implement pending standards, and possibly drive input in their creation. Irrespective of who your supplier is, foreign or domestic, evaluate their ability to deliver components needed to restore or augment your services. Include their supply chain challenges in the analysis.

Lee Neely

The risk associated with long lead times for grid components, to specifically include some large transformers, has been identified since the Clinton Administration. It has not decreased.

William Hugh Murray

This advisory yet again highlights vulnerabilities in perimeter security devices. Over the last couple of years, attackers have realized the poor code quality affecting not just home and small business appliances, but enterprise appliances as well. Your best defense is to limit your attack surface and disable as many features as possible. Do not expose any administrative web applications outside a tightly controlled administrative network.

Johannes Ullrich

Use this information to refine your risk based approach to vulnerability mitigations. Where you have products susceptible to these vulnerabilities, review the mitigations and IOCs to make sure that you have a comprehensive fix as well as being equipped to detect attempted or actual exploitation. Next, include your development team in reviewing the Mitre 2021 CWE top 25 most dangerous software weaknesses.

Lee Neely

It has been very obvious that IT operations (who in most organizations is responsible for patching servers and PCs) have been consumed with just keeping the applications and services running as the pandemic drove the need to support full time work from home and caused workforce and support disruptions. Time to patch has increased. Security mitigations must take that into account – increasing visibility, asset inventory (essentially Implementation Group 1 of the CIS Critical Security controls) but also putting shielding and/or segmentation around vulnerable systems that are just going to take longer to patch. When hurricanes are hitting every few days, you have to leave the plywood up over the windows – hoping the windows get stronger does not increase safety.

John Pescatore

To ensure that patching gets necessary attention and resources, effective patching should be both measured and reported to stake holders.

William Hugh Murray

Just a week ago, Apple patched the SSID Format String flaw that in some cases could lead to arbitrary remote execution when joining a malicious WiFi network. It comes back down to reducing your attack surface again: Turn off radios you are not using. This can be challenging for a mobile device that isn't doing much without network connection and a Bluetooth connection for headsets.

Johannes Ullrich

This does a good job explaining the risks as well as a providing tables of Do’s and Don’ts you should incorporate into your UAT program. This is not just Wi-Fi, this is also about Bluetooth, NFC, and mitigations which are easy to take and raise the bar on the security of those services. Don’t forget to remind users that even with these mitigations, the area being used to perform work still needs to be appropriate, beware of who can see and hear your screen, conversation and any paper notes or documents in use.

Lee Neely

Wireless attacks do not scale well; the risk has always been from the wired side. While still vulnerable, and perhaps only for the moment, cellular is safer than WiFi (except in Washington DC). Devices that connect directly to the public networks should not also connect to the enterprise network. Business travelers should practice good hygiene.

William Hugh Murray

Not much new here, but more reports coming. Similar to the Congressional hearing item, the technical and policy issues around critical infrastructure are well known, the supply chain disruption issue and lack of resiliency is the area where prioritized actions are needed.

John Pescatore

Most of the critical infrastructure is managed by the private sector, not government. The two most important components of the nation's infrastructure are power and finance. One of those is doing a much better job of security than the other.

William Hugh Murray

This is a complex topic and has to be considered carefully. If you do elect to make a payment, understand how you’re impacted by the Office of Foreign Assets Control (OFAC) in addition to local or national legislation. Build relationships needed for reporting and response of a ransomware attack now. Leverage references like the StopRansomware.gov web site to get a leg up on preparedness.

Lee Neely

Read the report from SentinelOne to see how this new malware works. The report includes links to IoCs and YARA rules you can implement to aid detection and hunting activities. This wiper is designed to completely cripple a target’s systems, and includes functions ranging from changing passwords, disabling screen savers and altering boot records to creating processes and executing commands, reinforcing the need for those indicators.

Lee Neely

The current hostile environment requires that enterprises may have to recover whole networks, rather than simply a file or two. Ensure the capability to recover entire applications in hours to days.

William Hugh Murray

The patch was released on May 5th, less than 24 hours after the developers were notified of the flaw. If you are using the WordPress Download Manager plugin, make sure you’re using version 3.1.25 or later. The file upload weakness could be used to upload executable content to perform a site takeover, while the information disclosure weakness allowed for a path traversal exploit to allow viewing of arbitrary or sensitive files. E.g, wp-config.php. Make sure you are either updated or remove this plugin if not actively used.

Lee Neely

Does it bear repeating that WordPress plugins should never be included by default but only after careful consideration and must be carefully managed?

William Hugh Murray

The investigation leveraged the EMPACT framework and included authorities from Poland, Germany, Austria, Switzerland, Czech Republic and Slovakia. The attacks required physical access to the ATMs and necessitated drilling holes or melting parts to access the connection used by the laptop to compromise the ATM. As sexy as it sounds to jackpot an ATM, remember they not only have tamper detection but also surveillance making it unlikely your actions would go undetected.

Lee Neely

Intuitively one might conclude that these attacks constitute a significant risk. However, they do not scale well, require physical access, and result in limited losses (thousands to low tens of thousands of dollars per ATM.) Cash just isn't what it used to be.

William Hugh Murray

Notifications to impacted individuals will not be sent until the investigation is complete and will offer one year of credit monitoring and identity theft protection through Experian IdentityWorks. Actions are already underway to prevent recurrence including updating credentials and disabling access points. If you are a UC San Diego Heath employee, student or patient, monitor your accounts and credit report for unexpected activity, or, if you don’t already have it, seek out your own identity and credit protection solution.

Lee Neely

A single user clicking on bait should not compromise the enterprise. Browsing and e-mail are the applications where users are most likely to encounter bait. These should be isolated from mission critical applications.

William Hugh Murray